IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
- When adopting a bare key, the creation time is the Unix epoch.
If the user doesn't manually override this using
`--creation-time`, use the current time (while respecting
`--time`).
- Add `--can-sign`, `--cannot-sign`, `--can-authenticate`,
`--cannot-authenticate`, `--can-encrypt`, `--cannot-encrypt` to `sq
key adopt`, which modify the key flags of the adopted key.
- Change `sq key adopt` to not require the key that is being adopted
to have a binding signature.
- This allows adopting "bare keys," i.e., a certificate consisting
of just a primary key. Bare keys are useful when working with raw
keys, e.g., keys generated on an OpenPGP card, a TPM device, etc.
To add them to a certificate, they just need to be wrapped in a
minimal amount of OpenPGP framing; no signatures are required.
- Fixes#25.
- Unlike other commands, `sq cert export`'s `--cert` argument only
matches on the certificate's key handle (i.e., the primary key's
key handle). It also has a `--key` argument to match on the
primary key's key handle or a subkey's key handle, which are
the semantics of the `--cert` argument for other commands.
- Change the semantics of `--cert` to that of `--key`, i.e., change
`--cert` to also match on subkey key handles. Remove the `--key`
argument since it is now redundant.
- `sq key export` can either export all keys associated with a
certificate or individual keys.
- Split the subkey-related functionality out of `sq key export` and
into the new subcommand `sq key subkey export`
- Fixes#294.
- The dot output does not fit into the output framework: it can only
describe graphs, and most of what sq emits are not graphs. Once
sq gains machine-readable output, the current functionality can be
implemented by emitting the graph data as machine-readable data,
then transforming it into dot.
- Fixes#290.
- Fixes#137.
- Add a new subcommand, `sq key subkey password`, which changes the
password protecting the secret key material of a primary key or a
subkey.
- Fixes#106.
- `sq key password`, and `sq sign --symmetric` have local arguments
to seed the password cache.
- Many commands could benefit from similar functionality.
- Add a new top-level argument, `--password-file`, to seed the
password cache.
- Rename the `--expiry` argument to `--expiration`, and adjust the
name of the corresponding fields, and data structures.
- Expiration and expiry have about the same meaning. According to
my research, "expiration" is used in American English whereas
both are used in British English.
- This change aligns the usage with RFC 4880's terminology, which
uses the word "expiration" many times, but never uses "expiry".
- In `sq key attest-certifications`, don't make `--all` the
default, but require the user to specify it explicitly.
- This makes it easier to introduce more fine-grained selectors in
the future.
- See #262.
- Change `sq pki certify`'s certifier parameter from a `PathBuf` to
a `FileOrStdin` so that it interprets `-` as meaning it should
read the certificate from stdin.
- Change `sq key revoke`, `sq key subkey revoke`, and `sq key userid
revoke` to support the cert store and key store.
- Add `--cert` to specify a certificate by key ID or fingerprint.
- If `--output` is not specified and `--cert` is, import the
modified certificate into the cert store. If `--output` is not
specified and `--cert-file` is, write the modified certificate to
stdout.
- Change the `--cert-file` and `--revoker-file` arguments to `sq key
revoked`, `sq key userid revoke`, and `sq key subkey revoke` to
interpret `-` as meaning reading from stdin.
- `sq key revoked`, `sq key userid revoke`, and `sq key subkey
revoke` have two arguments for naming a certificate:
`--certificate-file` and `--cert-file`. The latter is an alias.
Drop `--certificate-file` and promote `--cert-file`. This
harmonizes these subcommands with other subcommands, which only
use `--cert-file`.
- Rename `--revocation-file` to `--revoker-file`, as the file
contains a "revoker" not a "revocation."
- Change `sq key userid add` to support the cert store and key
store.
- Add `--cert` to specify a certificate by key ID or fingerprint.
- Change the positional file argument to `--cert-file`.
- Change the positional user ID to `--userid`.
- If `--output` is not specified and `--cert` is, import the
modified certificate into the cert store. If `--output` is not
specified and `--cert-file` is, write the modified certificate to
stdout
- Support using keys managed by `sequoia-keystore`.
- When decrypting a message, have `sq` automatically ask the
key store to decrypt the PKESKs.
- Extend `sq sign` and `sq encrypt` with the `--signer-key`
parameter to use a key managed by the keystore.
- Add two top-level options: `--no-key-store`, which disables the
use of the key store, and `--key-store`, which uses an alternate
key store instance.
- Add `sq key list` to list keys on the key store.
* Changes in 0.30.1
* Notable changes
- The `crypto-botan` feature now selects Botan's v3 interface. Use
the new `crypto-botan2` feature to continue using Botan's v2
interface.
* Notable fixes
- Several parser bugs were fixed in sequoia-openpgp 1.16.0 and
buffered-reader 1.2.0. These are all low-severity as Rust
correctly detects the out of bounds access and panics. Update
Cargo.lock to make sure we use these versions.
- sequoia-openpgp 1.16 changed `sequoia-openpgp/crypto-botan` to
build against Botan's v3 interface, and exposed
`sequoia-openpgp/crypto-botan2` to build against the v2 interface.
- Do the same. Add a `crypto-botan2` feature to allow the user to
build against Botan's v2 interface.
- When importing a certificate into the certificate store from a
verifying keyserver (via `sq keyserver get`), WKD (via `sq wkd
get`), or DANE (via `sq dane get`), certify the User IDs that the
service checks (for verifying keyservers: all; for WKD and DANE:
the User IDs with the email that was looked up).
- Have a per-service key to do the certifications (one for
keys.openpgp.org, one for keys.mailvelope.com, one for WKD, etc).
- Make the per-service certificates minimally trusted (trust amount:
1 of 120) CAs by certifying them with the local trust root.
- Add the `sq wot` subcommand, to expose web of trust functionality.
- This is just an import of the `sq-wot` CLI as `sq wot`. The
support for using the `gpg` keyring and gpg's ownertrust, however,
is removed.
- Add a new top-level option, `--keyring`, which allows users to
specify additional keyrings to search.
- When a lookup is performed, all keyrings are searched in addition
to any certificate store, and the results are merged.
- Keyrings are read only.
- When verifying a signature using `sq verify`, and a signer is not
specified using `--signer-cert`, try and authenticate them using the
web of trust using the configured certificate store.
- If we can fully authenticate a signer, consider the signature to
have been authenticated by that signer.
- Extend `sq encrypt` with the `--recipient-email` and
`--recipient-userid` arguments to allow the caller to designate a
certificate by email address or User ID, respectively. An email
address or User ID is considered to designate a certificate, if
the binding between the email address or User ID and the
certificate can be authenticated using the web of trust.
- Add support for the web of trust using the `sequoia-wot` crate.
- Add a top-level option, `--trust-root`, to allow the user to
specify trust roots.
- Add a top-level, global option `--time` to set the reference time.
- Remove subcommand's `--time` argument and use this instead.
Remove `sq key generate`'s `--creation-time` argument `sq key user
id`'s `--creation-time` argument and use this argument instead.
- Add support for a persistant certificate store using
`sequoia-cert-store`.
- Add `sq --no-cert-store` to disable the use of the certificate
store. Add `sq --cert-store PATH` to use an alternate certificate
store.
- Add `sq import` to import a certificate into the certificate
store. Add `sq export` to export certificates.
- Modify `sq certify`, `sq encrypt`, and `sq verify` to lookup
certificates in the certificate store, if it is configured.